LinuxQuestions.org

Linux - Newbie: VPN easy to setup other than OpenVPN? (http://www.linuxquestions.org/questions/linux-newbie-8/vpn-easy-to-setup-other-than-openvpn-779948/)

qwertyjjj 01-05-2010 05:49 AM

VPN easy to setup other than OpenVPN?
 
Anyone know a VPN solution that is easy to setup?
I cannot get OpenVPN to work and cannot troubleshoot it as not many people use it...even on this forum.
I tried poptop but the documentation is pretty poor.

thePiet 01-05-2010 09:54 AM

Poptop is, as far as I know, by far the easiest VPN solution to configure. As it's PPTP, it also natively supports Windows clients, which can be very handy.

Check out http://poptop.sourceforge.net/dox/debian-howto.phtml for a simple howto; I got poptop running within a few minutes with those docs.

qwertyjjj 01-05-2010 10:19 AM

Quote:

Originally Posted by thePiet (Post 3814916)
Poptop is, as far as I know, by far the easiest VPN solution to configure. As it's PPTP, it also natively supports Windows clients, which can be very handy.

Check out http://poptop.sourceforge.net/dox/debian-howto.phtml for a simple howto; I got poptop running within a few minutes with those docs.

I'm trying a similar one for CentOS:
http://blog.doylenet.net/?p=17

I have tried to find my local LAN IP using ifconfig but can't see any 10.x.x.x addresses. Any ideas what to set?

Quote:

[root@localhost ~]# /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:19:99:63:5A:A3
inet addr:88.xxx.xxx.xxx Bcast:88.xxx.xxx.xxx Mask:255.255.252.0
inet6 addr: fe80::219:99ff:fe63:5aa3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:563313856 errors:0 dropped:0 overruns:0 frame:0
TX packets:556444717 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2029725969 (1.8 GiB) TX bytes:1714519084 (1.5 GiB)

eth0:0 Link encap:Ethernet HWaddr 00:19:99:63:5A:A3
inet addr:88.xxx.xxx.xxx Bcast:88.xxx.xxx.xxx Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14757 errors:0 dropped:0 overruns:0 frame:0
TX packets:14757 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3011559 (2.8 MiB) TX bytes:3011559 (2.8 MiB)

Quote:

Scroll down to the area localip and remoteip. So that we can keep routing issues to a minimum, set this to a range in your local LAN. For example, I use 10.0.0.0/24 for my private LAN. 10.0.0.1 is the IP address of my router and VPN server. I set the localip value to 10.0.0.2 and the remoteip range to 10.0.0.200-220, outside the DHCP assigned range.

qwertyjjj 01-05-2010 10:40 AM

I also tried adding the firewall settings to my iptables, but iptables failed on restart:
Quote:

FIREWALL AND ROUTING

The only issues now that need to be resolved are routing and firewall issues. This is only relevant if the VPN server is on the same server as your firewall/router. By having the VPN clients on the same subnet as the rest of the trusted LAN, it makes it easier for the client, but slightly harder to configure, as we aren't dealing with Layer 3. We need to allow the interface ppp0 access to the trusted interface. We will assume eth0 is the trusted interface.

iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

This could also be done using the 10.0.0.0/24 range, but this will only work for unicast addresses. To make these statements safe, 10.0.0.0 should be dropped at the external interface as well if not already done so. It's good practice to drop all RFC 1918 private addresses which arrive with such a source address on the external interface. A lot of malformed and spoofed IP packets often have source addresses from the private address range.

iptables -A INPUT -i eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -s 10.0.0.0/24 -j ACCEPT

Now we need to allow the VPN protocols that will be used to connect and communicate with the VPN server through our firewall. The authentication part of our VPN server uses the PPTP protocol, which is on TCP port 1723. Actual data is then transferred using IP protocol GRE (Generic Routing Encapsulation). Configure the following iptables commands.

iptables -A INPUT -i $external_interface -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $external_interface -p gre -j ACCEPT
Quote:

*filter
:INPUT DROP [10:568]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:260]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT


thePiet 01-06-2010 04:23 AM

Hmm, I guess you should read some more about TCP/IP first. As far as I can see, your box hangs directly on the internet (eth0 has an 88.x.x.x address). So you have to set up a local network first, map the appropriate ports and apply the following rules to iptables:

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -s <your PPTP subnet> -j ACCEPT

If you don't need a local network, you can also skip that step and connect directly to the box from the client. What have you configured further?
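As an added example (not code from the thread, from poptop or from the doylenet how-to), the following Python checks an iptables-save dump like the one qwertyjjj posted and reports which of the PPTP rules discussed above are absent; the dump, the 192.0.2.x addresses and the eth0/ppp0 interface names are constructed placeholders.

```python
# Constructed iptables-save dump modelled on the one posted in this thread
# (public addresses replaced by documentation-range placeholders). As posted,
# it carries no PPTP rules at all.
SAMPLE_RULES = """\
*filter
:INPUT DROP [10:568]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.0.2.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# The same dump after adding the three rules thePiet suggested (the PPTP
# subnet rule is written as the ppp0 interface rule from the how-to).
FIXED_RULES = SAMPLE_RULES.replace("COMMIT", "\n".join([
    "-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT",
    "-A INPUT -p gre -j ACCEPT",
    "-A INPUT -i ppp0 -j ACCEPT",
    "COMMIT"]))

def parse_rules(dump):
    """Return (chain, tokens) for every '-A' line of an iptables-save dump."""
    return [(l.split()[1], l.split()[2:]) for l in dump.splitlines() if l.startswith("-A ")]

def opt(toks, flag):
    """Value that follows `flag` in a rule's token list, or None if absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None

def has_accept_rule(rules, chain, want, iface=None):
    """True if a rule in `chain` jumps to ACCEPT, carries every option in `want`
    (e.g. {"-p": "gre"}) and is not bound to an input interface other than `iface`."""
    return any(ch == chain and opt(toks, "-j") == "ACCEPT"
               and all(opt(toks, k) == v for k, v in want.items())
               and (iface is None or opt(toks, "-i") in (None, iface))
               for ch, toks in rules)

def missing_pptp_rules(dump, external_if="eth0", vpn_if="ppp0"):
    """Names of the PPTP rules discussed in the thread that `dump` lacks."""
    rules = parse_rules(dump)
    checks = [
        ("INPUT tcp/1723 (PPTP control channel)", "INPUT", {"-p": "tcp", "--dport": "1723"}, external_if),
        ("INPUT gre (tunnelled PPP data)", "INPUT", {"-p": "gre"}, external_if),
        ("INPUT from " + vpn_if, "INPUT", {"-i": vpn_if}, None),
        # The FORWARD rule only matters when clients must reach a LAN behind the server.
        ("FORWARD " + vpn_if + " to " + external_if, "FORWARD", {"-i": vpn_if, "-o": external_if}, None),
    ]
    return [name for name, chain, want, iface in checks
            if not has_accept_rule(rules, chain, want, iface)]
```

Feed it the output of `iptables-save` (or the contents of /etc/sysconfig/iptables on CentOS) to see which rules are still missing before restarting the firewall. Note that PPTP's MS-CHAPv2 authentication has known cryptographic weaknesses, so the tunnel protects traffic far less than OpenVPN does.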

qwertyjjj 01-06-2010 04:58 AM

Quote:

Originally Posted by thePiet (Post 3815916)
Hmm, I guess you should read some more about TCP/IP first. As far as I can see, your box hangs directly on the internet (eth0 has an 88.x.x.x address). So you have to set up a local network first, map the appropriate ports and apply the following rules to iptables:

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -s <your PPTP subnet> -j ACCEPT

If you don't need a local network, you can also skip that step and connect directly to the box from the client. What have you configured further?

Do I need a local network for VPN?
At the moment, the server just runs as a proxy server but I want to use it first for private VPN connections for myself and then allow extra client VPN.

thePiet 01-07-2010 03:34 AM

Theoretically, you shouldn't need a local network. But I have no experience with that; I've only set up poptop on a local network behind a gateway / router a few times.

But it should work without a local network. The only difference is that you skip the port mapping step at your gateway.

Again, everything you need regarding documentation is located at http://poptop.sourceforge.net/dox/ . The reason there is less stuff hanging around the internet regarding poptop is that everybody gets poptop up and running using http://poptop.sourceforge.net/dox/ :)

So give it a go and post here if you have problems. Take your time!
